Data protection violations: Managing directors and board members are personally liable
Managing directors and board members and, where applicable, employees and data protection officers are personally liable in the event of data protection violations.
Companies process personal data in many ways, including customer data used in email marketing. The General Data Protection Regulation (GDPR) specifies how personal data is to be handled and what happens in the event of breaches and violations.
What sums are we actually talking about here?
Articles 82 and 83 of the GDPR regulate corresponding sanctions in the event of a breach of the protective provisions of the GDPR. Article 82 GDPR regulates the claims for damages by the injured party. These claims are not limited in amount. Article 83 GDPR clarifies that the competent supervisory authorities may impose fines that can be up to Euro 20 million or up to 4% of the company’s annual global turnover. So in both cases, the penalties can be significant and can threaten a company’s very existence. Experience since the GDPR came into force in 2018 also shows that the amount of fines imposed in the EU has steadily increased, see also our blog post on the topic.
Who is liable for data protection breaches under the GDPR?
Pursuant to Articles 82 and 83 of the GDPR, the controller or processor is liable. According to Art. 4 (7) GDPR, “controller means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data”. Accordingly, the company itself is responsible in the first instance. The extent to which managing directors, board members or employees of the company are also personally liable is not clear from this provision.
- The liability of the managing director or executive board
The liability of the managing director or board of directors results from two important court decisions:
The Dresden Higher Regional Court (OLG) recently ruled that managing directors are their own data protection controllers within the meaning of the GDPR and are therefore also personally liable (ruling of the OLG Dresden of 30.11.2021 (file number 4 U 1158/21).
The ECJ in a previous judgment (judgment of 10.7.2018, case number C-25/17) developed criteria according to which a person is a controller within the meaning of the GDPR. Accordingly, a managing director is liable if they benefit from the data processing, cause or tolerate it and have access to the data themselves or process it themselves.
In addition, the general liability rules of corporate law also give rise to personal liability for managing directors or board members under certain circumstances if they fail to perform their duties conscientiously and diligently (see Section 43 of the German Limited Liability Companies Act – GmbHG and Section 93 (2) of the German Stock Corporation Act – AktG), because it is also part of their duties to comply with data protection regulations. In doing so, they must obtain comprehensive information and advice and check that the company complies with data protection regulations.
- The liability of employees
Employees are liable for data protection violations under the GDPR only if they have violated data protection rules intentionally, i.e. knowingly or deliberately or with gross negligence.
- The liability of the data protection officer
External data protection officers are liable to the company for violations of the GDPR. This may be the case, for example, if they do not provide correct or sufficient advice or do not adequately monitor the data processing procedures in the company.
If the data protection officer is employed by the company, their liability is also limited in accordance with the above principles for employees.
Conclusion and recommendation
Board members and managing directors, as well as self-employed data protection officers, can be held personally liable for claims for damages and fines, in addition to the company itself, if personal data is used in email marketing. For salaried employees, this is possible to a very limited extent.
Data protection is relevant for all employees as well as company management. Appropriate training on handling personal data in email marketing, clear responsibilities, and the introduction of control mechanisms are essential.
The CSA supports its certified participants with always up-to-date information on legally correct email marketing with introductory as well as advanced events and publications in a wide variety of formats.